T1574.002 DLL Side-Loading Mappings

Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. (Citation: FireEye DLL Side-Loading)

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1574.002 | DLL Side-Loading |
| AC-3 | Access Enforcement | Protects | T1574.002 | DLL Side-Loading |
| AC-4 | Information Flow Enforcement | Protects | T1574.002 | DLL Side-Loading |
| AC-5 | Separation of Duties | Protects | T1574.002 | DLL Side-Loading |
| AC-6 | Least Privilege | Protects | T1574.002 | DLL Side-Loading |
| CA-7 | Continuous Monitoring | Protects | T1574.002 | DLL Side-Loading |
| CA-8 | Penetration Testing | Protects | T1574.002 | DLL Side-Loading |
| CM-2 | Baseline Configuration | Protects | T1574.002 | DLL Side-Loading |
| CM-6 | Configuration Settings | Protects | T1574.002 | DLL Side-Loading |
| CM-8 | System Component Inventory | Protects | T1574.002 | DLL Side-Loading |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1574.002 | DLL Side-Loading |
| SI-2 | Flaw Remediation | Protects | T1574.002 | DLL Side-Loading |
| SI-3 | Malicious Code Protection | Protects | T1574.002 | DLL Side-Loading |
| SI-4 | System Monitoring | Protects | T1574.002 | DLL Side-Loading |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1574.002 | DLL Side-Loading |